MITRE ATT&CK® Detection Strategy

DET0674: Detection of Calendar Entries


Mobile | DET0674 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0674 is a mobile ATT&CK detection strategy associated with detecting attempts to access calendar entry data. The business issue is not the calendar itself, but the sensitive context it can expose: meetings, travel, participants, customer names, executive schedules, and operational plans. For leaders, this is a privacy, executive protection, and incident-scoping concern on Android and iOS devices.

Executive priority

Treat this as a mobile data-access visibility question: can the organization tell when an app or compromised/rooted/jailbroken device is accessing calendar data in a way that matters to privacy, compliance, or executive risk? Priority should be highest where managed mobile devices, executive devices, regulated communications, or sensitive operational calendars are in scope. Because the ATT&CK object provides no official detection logic, leaders should ask whether mobile device management, mobile threat defense, application permission governance, and incident response processes can produce defensible evidence for calendar-access events.

Technical view

This detection strategy detects T1636.001, Calendar Entries, in the mobile ATT&CK domain. The related technique notes Android Calendar Content Provider access and iOS EventKit framework access, with additional risk where devices are rooted or jailbroken because calendar data may be accessible without normal user approval. SOC and IR teams should validate what evidence is available for app calendar permissions, calendar access behavior, suspicious mobile app activity, and root/jailbreak state across Android and iOS. Since no official detection text, platforms, or tactics are specified on the detection-strategy object itself, detection engineering should be driven by the related technique context and local mobile telemetry capabilities.

Likely telemetry

  • Mobile device inventory and operating system type for Android and iOS devices
  • Application permission state for calendar access
  • Mobile device management or mobile threat defense alerts related to risky apps, permission abuse, rooting, or jailbreaking
  • Mobile application inventory, installation source, and app reputation or trust status
  • Device compliance posture, including root or jailbreak indicators

Detection direction

  • Confirm whether Android and iOS calendar permission grants are logged, retained, and searchable for managed devices.
  • Validate whether tooling can distinguish expected calendar access by approved productivity apps from unusual access by unapproved, newly installed, or risky apps.
  • Tune detections around context rather than permission presence alone, because legitimate calendar applications commonly require calendar access.
  • Prioritize alerts where calendar access coincides with root or jailbreak indicators, suspicious app installation, device noncompliance, or other mobile compromise signals.
  • Document blind spots for unmanaged personal devices, limited mobile telemetry, privacy constraints, and platforms where permission or API-level access is not centrally visible.
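
A sketch of the context-based tuning described above, as an added example (not MITRE or Glexia detection logic): calendar permission alone scores zero, and an alert fires only when it coincides with root/jailbreak, noncompliance, an unapproved app, an untrusted install source, or a recent install. The field names, allowlist, weights, threshold, and inventory rows are all constructed assumptions, not the schema of any MDM or MTD product.

```python
from datetime import date

# Hypothetical allowlist and weights; tune to local policy.
APPROVED_APPS = {"com.example.corpcalendar", "com.example.mail"}
TRUSTED_SOURCES = {"managed", "play_store", "app_store"}
WEIGHTS = {"root_or_jailbreak": 3, "noncompliant": 2, "unapproved_app": 2,
           "untrusted_source": 2, "newly_installed": 1}

def row(device, os, rooted, compliant, app, granted, source, installed):
    return dict(device=device, os=os, rooted=rooted, compliant=compliant,
                app=app, calendar_granted=granted, source=source, installed=installed)

# Constructed sample inventory (not real telemetry): one row per device/app pair.
INVENTORY = [
    row("A-100", "android", False, True, "com.example.corpcalendar", True, "managed", date(2024, 9, 1)),
    row("A-101", "android", True, False, "com.example.flashlight", True, "sideload", date(2025, 5, 30)),
    row("A-102", "android", True, False, "com.example.game", False, "sideload", date(2025, 5, 30)),
    row("I-200", "ios", False, True, "com.example.notes", True, "app_store", date(2024, 11, 5)),
    row("I-201", "ios", True, False, "com.example.mail", True, "managed", date(2024, 3, 2)),
]

def signals(r, today, new_days=7):
    """Context signals for one app; empty when it holds no calendar access."""
    if not r["calendar_granted"]:
        return []
    checks = {
        "root_or_jailbreak": r["rooted"],
        "noncompliant": not r["compliant"],
        "unapproved_app": r["app"] not in APPROVED_APPS,
        "untrusted_source": r["source"] not in TRUSTED_SOURCES,
        "newly_installed": (today - r["installed"]).days <= new_days,
    }
    return [name for name, hit in checks.items() if hit]

def triage(rows, today, threshold=3):
    """Return (device, app, score, signals) at or above threshold, highest first."""
    out = []
    for r in rows:
        hits = signals(r, today)
        score = sum(WEIGHTS[h] for h in hits)
        if score >= threshold:
            out.append((r["device"], r["app"], score, hits))
    return sorted(out, key=lambda a: -a[2])

if __name__ == "__main__":
    for alert in triage(INVENTORY, today=date(2025, 6, 1)):
        print(alert)
```

The approved calendar app on a healthy device and the unapproved but otherwise unremarkable notes app stay below the threshold, while an approved mail app on a jailbroken, noncompliant device still alerts because device posture, not app trust, is the signal.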

Mitigation priorities

  • Establish approved mobile app and permission governance for apps requesting calendar access.
  • Use mobile device management or equivalent controls to enforce device compliance and restrict access from rooted or jailbroken devices where policy allows.
  • Review high-risk user groups, such as executives or staff handling regulated or sensitive operations, for calendar data exposure pathways.
  • Ensure incident response playbooks include mobile evidence collection, app permission review, and root/jailbreak assessment when calendar data access is suspected.
  • Maintain compliance evidence showing how mobile calendar data access is governed, monitored, and investigated within the organization’s privacy and security requirements.
Analyst notes and limits

The strongest defensive value is in validating mobile telemetry coverage and permission governance, not in treating every calendar access event as malicious. Calendar access is common and often legitimate, so useful detection depends on device posture, app trust, user role, and surrounding compromise indicators.

The supplied ATT&CK detection-strategy object has no official description, no official detection text, no listed platforms, and no tactics. Android and iOS context comes from the relationship to T1636.001 Calendar Entries. Local environment data is required to determine actual visibility, control coverage, and investigation feasibility.

Official MITRE ATT&CK definition

Detection of Calendar Entries

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.001 | Calendar Entries (Sub-technique) | This object detects Calendar Entries. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

| Field | Value |
|---|---|
| ATT&CK release | 19.1 |
| Object version | 1.0 |
| Created | |
| Modified | |
| Raw hash | eaab89ed40f804dc... |

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | eaab89ed40f8… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0674

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.